Samsung Knox 101: Understanding Samsung’s mobile security platform

Enterprises everywhere are recognizing how mobile technology can empower employees and enhance customer experiences, but they face two big challenges to leverage their full potential.

First, as mobile device use cases become more sophisticated for business, so do the requirements for configuring, managing and supporting these devices. Secondly, with smartphones and tablets accessing sensitive data and apps, mobile security becomes all the more critical.

Samsung Knox is designed to help overcome these two challenges by making Samsung Galaxy smartphones the most manageable and most secure mobile phones on the market. An extension of Android Enterprise (AE) architecture, the Knox platform delivers unique, granular security and management features that meet organizations’ fast-evolving mobility needs.

Knox is Samsung’s brand for a wide suite of technologies, products and services that all work together to build mobility solutions with defense-grade security and management. From secure hardware to real-time protection and a comprehensive set of advanced security solutions, Knox enables people and organizations to make the most of Samsung Galaxy devices without having to worry about security. All a user has to do is turn on their phone and go about their day, while Knox goes to work.

To understand Samsung Knox, we’ll review three different layers:

• The Knox base, built into the hardware and Android OS of all of Samsung’s latest mobile devices
• Knox Platform for Enterprise (KPE), a software toolkit and set of application programming interfaces (APIs) providing enhanced security and management for enterprises building sophisticated mobility solutions
• Knox cloud-based management tools and services that can be licensed to run on top of the Knox platform

First layer: Mobile device security built on Android Enterprise

When it comes to cybersecurity solutions, the key word is trust. That trust begins with hardware. Knox is physically built into all Galaxy smartphones, tablets and wearables to protect device data. Developed on the principles of trusted computing — and with a hardware root of trust (RoT) to verify the device’s integrity at boot-up — Knox provides a secure foundation for enterprise mobile initiatives.

Again, the Knox platform is not something that’s purchased, downloaded or installed; it’s part of every Samsung mobile device. The technologies forming Knox’s base are a combination of Galaxy hardware, firmware and Samsung’s extensions to Android Enterprise, all working together to ensure device manageability, integrity and security.

Malicious code can intrude on any single OS layer, or several of them. Knox’s holistic approach to securing a mobile device’s OS and data protects against diverse threats, from a variety of sources and threat vectors.

Knox starts with protective technologies at the chip level, known as TrustZone, that isolate highly sensitive computations from the rest of the device’s operations. Then, it uses real-time kernel protection to constantly inspect the core of the OS during runtime. Finally, Knox layers in Samsung’s security enhancements for Android, protecting apps and data by strictly defining what each process is allowed to do and what data it can access. These three sub-layers all work together as part of Knox Vault to deliver integrated and hardened security from the moment the device is powered on.

Through these measures, the Knox platform has met certification requirements from NIAP’s Common Criteria and NIST’s FIPS 140-2 and received multiple Defense Information Systems Agency STIGs for classified use. Knox security is, literally, defense-grade.

Second layer: Knox Platform for Enterprise

On top of the Knox base of hardware, firmware and device security added to the core Android Enterprise OS, Samsung has built Knox Platform for Enterprise (KPE). This layer of Knox delivers APIs and additional features that meet the management and security requirements of enterprises — especially highly regulated enterprises in finance and healthcare — as well as government agencies. The KPE layer touches all aspects of Android management and security: granular device configuration, kiosk configurations, security options, device setting restrictions, preconfiguration of VPN, firewall and email apps, app controls and more. All are licensed at no extra charge and available through mobile device management (MDM) products and apps built using the Samsung Knox software development kit (SDK).

These first two layers of Knox are the key to compliance with the advanced security requirements of programs such as the National Security Agency (NSA)’s Commercial Solutions for Classified (CSfC) program, the National Information Assurance Partnership (NIAP) and the U.K.’s End User Device (EUD) guidance.

Advanced security requires, for example, that a phone support dual layers of encryption when data is at rest or in transit. Agencies and enterprises can satisfy this requirement with the KPE feature Samsung DualDAR (or Dual Data-at-Rest), which double-encrypts data inside a Galaxy device’s work profile, using two independent crypto modules. Knox DualDAR also allows third-party crypto modules for inner-layer encryption. For dual-layered encryption of data in transit, Knox enables Secure Wi-Fi access even on public networks. These details make Samsung one of the most secure mobile phone providers and the only one to address requirements like CSfC and EUD to the letter.

Good management is part of strong security, so KPE includes deep customization options. These allow businesses to streamline their device deployments, with the added flexibility of granular device management and enforceable app management capabilities. By integrating with Managed Google Play, for example, IT admins can allowlist and blocklist specific apps for specific users.

Another KPE feature that supports device management is Knox Separated Apps. Enterprises that have deployed Android Enterprise (AE) fully managed devices may want to separate work apps (and their data) from unapproved apps. Knox Separated Apps lets IT admins define these unapproved apps that aren’t fully vetted from a cybersecurity perspective: Think apps such as Uber for ride-sharing or Fly Delta for travel. Knox Separated Apps isolates these useful but untrusted apps and their data while ensuring employees have access to the tools they need on their company-managed mobile devices. Samsung Auto Blocker can stop the side-loading of apps from unknown sources, even if a user accidentally approves it.

While IT sets the overarching parameters for device and data management across an organization, users, too, have a hand in creating a secure digital environment. Permission Manager, for example, enables control over sensitive data like photos and key functions.

The Knox solution set

Samsung knows that enterprises need their key technology partners to work together. The Knox solution set provides a secure foundation for enterprise mobility management (EMM) tools, both on-premises and in the cloud. Samsung has collaborated closely with many of the leading MDM software providers, including Airwatch, BlackBerry and MobileIron, to ensure tight integration between the Knox platform and their device management tools.

Samsung has developed its own set of cloud-based software solutions to meet specific enterprise needs, all building on top of the technologies in Knox. This solution portfolio, which can be licensed and accessed through the Knox portal, is designed to assist mobility managers throughout a device’s life. Here are the Knox solution portfolio’s key offerings for mobile security:

• Knox Configure: Providing businesses with advanced configuration and customization capabilities, Knox Configure can help you meet unique business needs, including device setup, rebranding, kiosking and feature restrictions. Your Samsung phones and tablets can be configured remotely — the moment they’re powered on and connected to Wi-Fi or cellular data. You can create profiles to automatically provision their apps and content, remove unnecessary preloaded apps, enroll in an MDM solution and configure virtually any setting. Knox Configure lets you skip lengthy setup wizards, so devices are ready to go in minutes, with all the same exact settings. If a user factory-resets the device, it’s automatically returned to the configuration you designed. You can also transform mobile devices into bespoke business tools, limit a device to running a single app (while locking down device settings) or customize the user experience.
• Knox Mobile Enrollment (KME): KME provides the quick out-of-the-box experience everyone is looking for. Providing free zero-touch deployment, Knox Mobile Enrollment (KME) automatically adds each of your devices to your EMM solution once your IT team has prepopulated its user credentials. End users can skip setup wizards and account registrations, so they get up and running faster. With KME, you can ensure all your devices stay enrolled in your EMM system. If an end user or an outside threat performs a factory reset or uninstalls the EMM agent, KME can reinitiate the enrollment process automatically. Your IT team can also enable Android factory reset protection so that a device can be recovered even if the user’s credentials are lost. The most recent version of KME also makes it easy to clone a standard profile into an advanced profile, and bulk profile assignments can be done without user passwords.
• Knox Guard: When corporate smartphones are lost or stolen, Knox Guard provides an inexpensive option to protect and control access to these devices — and the data they hold. IT managers can use Knox Guard to lock and even wipe devices using technologies that can’t be bypassed, don’t use an installed client and don’t require a network connection. Knox Guard capabilities are built into all Samsung smartphones and tablets, and operate using built-in BIOS and TrustZone security — meaning a factory reset or OS reinstall won’t disable the Knox Guard protections.
• Knox Enterprise Firmware Over-the-Air (E-FOTA): Providing enterprises with control over their software updates, Knox E-FOTA gives your business the power to validate, approve and deploy new versions of your OS across your device fleets without any end-user interaction. You can test and validate firmware updates in advance to uncover potential compatibility issues, and schedule deployments by device group and time of day, minimizing workflow disruptions. You can even factor in other criteria like Wi-Fi access and battery life. Knox E-FOTA is integrated with leading EMM solutions, so you can pull existing device and group information from your EMM to streamline your firmware management.
• Knox Manage: Samsung’s cloud-based EMM solution made for small and medium-sized businesses (SMBs), Knox Manage can be used to manage Android, iOS or Windows 10 devices, though it provides the most comprehensive feature set for Galaxy devices with the integrated Knox platform. Knox Manage provides IT admins with hundreds of policies — including all the essentials, like allowlisting and blocklisting. It also supports remote device control, event-based management, device location tracking and remote wipe. You can even lock the device and display a message on the screen when it’s lost or stolen.
• Knox Asset Intelligence (KAI): Building on other Knox solutions, KAI is a cloud-based data analytics tool that provides in-depth insights into mobile device performance and usage across an entire fleet from the moment they’re deployed. With real-time reporting capabilities, KAI offers IT admins clear visibility into device-specific data, including connectivity and GPS-based location tracking, device health, battery usage and app stability. Your IT team has access to all of this data in a single, user-friendly cloud console, allowing them to make better-informed decisions. They’re able to view the status of each device, monitor how they’re being used and detect any performance issues.

Knox has come a long way since Samsung introduced the platform back in 2013, but the fundamentals remain the same: Knox secures Android mobile devices through hard-wired protections while also serving specific management and data security needs. In newer Galaxy devices with Galaxy AI,* Knox answers important questions and delivers effective solutions to keeping AI secure for business.

Knox demonstrates Samsung’s commitment to mobile device security and ensuring its enterprise customers’ data is always safe on Galaxy mobile devices, providing peace of mind for IT teams and giving users freedom in both work and leisure.

Get 10 essential tips to keep your mobile device secure in our free guide. And find out more about how Samsung Knox Suite provides an end-to-end solution for complex mobile security needs.

*Galaxy AI features by Samsung will be provided for free until the end of 2025 on supported Samsung Galaxy devices.